Leaving a data center is not a lift-and-shift script — it is a discovery problem, a networking problem, a data-gravity problem, and a cutover problem, in that order. This page walks the real sequence a senior migration engineer follows: inventory with Application Discovery Service, pick the path (VMware Cloud on AWS or Outposts for hybrid, MGN rehost for physical/VMs, selective refactor), wire the network with Direct Connect + Transit Gateway, move terabytes with DataSync and Snowball, and cut over with a rollback plan. A MAP-funded AWS partner does the work — the assessment is typically free and AWS credits a large share of the migration cost.
Almost no one migrates a data center because a slide deck told them to. They migrate because a concrete cost event is bearing down — and AWS is cheaper than re-signing for another five years of metal.
The most common trigger is a hardware-refresh cliff. A storage array hits end-of-support, the hypervisor hosts are off warranty, the colocation contract renews, or the lease on the building itself is up. At that moment the CFO is staring at a six- or seven-figure capital outlay to buy the next generation of gear that will sit at 15–25% average utilization — the same dismal utilization every on-prem estate runs at, because you size for peak and pay for it 24/7/365.
AWS reframes that outlay. Instead of a capital purchase you depreciate over five years, you move to consumption-based operating expense — you pay for what runs, you switch it off at night for non-production, and you stop pre-buying headroom you will not use for three years. For a typical mid-market estate the line items that vanish are real: the refresh capex itself, the data-center power and cooling, the hardware maintenance contracts, the SAN licensing, and a meaningful slice of the staff hours spent racking, patching firmware, and chasing failed disks.
The second trigger is risk: a single facility with one power feed, aging UPS batteries, and a disaster-recovery plan that is really a spreadsheet and a prayer. Rebuilding that resilience on-prem means buying a second data center. On AWS it means deploying across Availability Zones and codifying DR with services like Elastic Disaster Recovery — capability you rent instead of build.
The honest caveat: AWS is not automatically cheaper if you forklift a badly-utilized estate as-is and never right-size. A naive lift-and-shift of over-provisioned VMs can cost more than the data center for the first few months. The savings come from right-sizing during discovery, switching off idle capacity, and committing to Savings Plans once the steady-state shape is known. That is exactly the work a MAP-funded partner does — and it is why the Assess phase pays for itself.
Every credible data-center migration starts with an inventory and a dependency map. The deliverable is not a list of servers — it is a list of applications, what they talk to, and how busy they actually are.
AWS Application Discovery Service is the workhorse here. It runs two ways. The agentless collector ships as a VMware OVA that you deploy into vCenter; it reads VM inventory, configuration, and performance metrics without touching the guests — ideal for a first pass across a large vSphere estate. The agent-based path installs a lightweight Discovery Agent on each server (Linux or Windows, physical or virtual) and captures far richer data: running processes, established TCP connections, and per-process network traffic. That connection data is what produces the dependency graph.
The reason the dependency graph matters is wave planning. Applications are rarely self-contained — the web tier talks to an app tier, which talks to a database, which is also read by a nightly batch job on a server nobody remembers owning. If you migrate the database and leave the batch job behind, you have just opened a high-latency link across the internet between two halves of one system. Discovery surfaces those edges so you can group tightly-coupled components into the same migration wave and cut them over together.
Discovery also feeds the business case. Application Discovery Service exports utilization data into AWS Migration Hub, where you can model right-sized EC2 instance recommendations and a defensible TCO. This is where over-provisioning gets caught: the eight-vCPU VM running at 6% becomes a right-sized instance, and the as-is bill becomes a real bill. Plan on roughly two to four weeks of data collection for a mid-sized estate — long enough to capture month-end and weekend peaks, not just a quiet Tuesday.
The output of this phase is a portfolio sorted by the 7 Rs, with each application tagged for its path and its wave. Most teams find the bulk of the estate lands on Rehost or Replatform, a long tail gets Retired (servers running nothing of value — there are always more than expected), a few stay Retained on-prem for now, and a small, deliberate set is marked Refactor for later.
Retire (decommission dead servers), Retain (leave on-prem for now), Rehost (lift-and-shift with MGN), Relocate (move vSphere VMs to VMware Cloud on AWS unchanged), Repurchase (swap to SaaS), Replatform (lift-tinker-shift — e.g. self-managed DB to RDS), Refactor (re-architect for cloud-native). Start Rehost/Replatform; refactor selectively, after the lift, where the ROI is obvious.
Once the portfolio is sorted, every workload routes down one of three paths. Real estates use a blend; the skill is matching each application to the right one rather than forcing the whole data center through a single door.
The choice turns on two questions: are you a VMware shop, and does the workload have a hard constraint that keeps it close to the on-prem world (single-digit-millisecond latency to a factory floor, data-residency rules, a license tied to physical hardware)? Those two answers point at the three paths below.
For: shops with a large vSphere investment and a deadline. VMware Cloud on AWS runs the full VMware SDDC stack — vSphere, vSAN, NSX — on dedicated AWS bare-metal hosts.
Why: you relocate live VMs with VMware HCX with little or no change, keep your existing operational tooling and runbooks, and avoid re-platforming under time pressure. It is the fastest way to evacuate a vSphere data center.
Reality check: it is a stepping stone, not the destination. You keep paying for VMware-shaped infrastructure; the cloud-native cost wins come later, when you modernize selected workloads off VMware onto native EC2/RDS/EKS at your own pace.
For: the workloads that genuinely cannot leave — sub-millisecond latency to local equipment, strict data-residency requiring data to stay in your building, or a regulator that has not yet blessed the public region.
Why: AWS Outposts puts a rack of AWS hardware in your own data center, running native AWS services (EC2, EBS, RDS on Outposts, EKS) with the same APIs and control plane as the region. You get the AWS operating model on-prem and a clean path to fold those workloads into the region later, when the constraint lifts.
Reality check: Outposts is a hybrid bridge, not a place to park the whole estate. It carries its own cost and you still own the facility around it. Use it for the principled exceptions, migrate everything else.
For: everything else — bare-metal servers, Hyper-V, KVM, or VMware VMs you would rather land directly on native EC2.
Why: AWS Application Migration Service (MGN) installs a lightweight agent on each source server and continuously replicates the full disk, block-level, into a staging area in your AWS account. Because replication is continuous and non-disruptive, the source keeps running while data syncs in the background. When you are ready you launch a test instance, validate it, then schedule the production cutover with a cutover window measured in minutes, not days.
Reality check: rehost gets you to AWS quickly but it inherits the application as-is — same OS, same architecture, same tech debt. That is fine, and intentional: get into AWS first, then replatform databases to RDS and refactor the high-value services on a steady cadence. Boiling the ocean during the lift is how migrations die.
The migration toolchain is a small, well-defined set of services. Here is what each one is for, mapped to the phase of the data-center exit where you reach for it.
Everything is orchestrated through AWS Migration Hub, which gives a single dashboard of every server and application across the discovery, replication, and cutover phases — so the program lead can see wave status without logging into five consoles.
| Service | Phase | Job it does |
|---|---|---|
| Application Discovery Service | Discover | Inventory + utilization + network dependency map (agentless OVA or per-server agent) |
| Migration Hub | All | Single pane of glass — track every server/app across discovery → cutover |
| Application Migration Service (MGN) | Migrate | Agent-based, block-level rehost of physical + VM servers to native EC2 |
| VMware Cloud on AWS + HCX | Migrate | Relocate live vSphere VMs unchanged onto AWS bare-metal |
| AWS Outposts | Retain (hybrid) | Native AWS hardware in your facility for latency/residency-bound workloads |
| Database Migration Service (DMS) + SCT | Replatform | Move databases (incl. heterogeneous, e.g. Oracle → Aurora) with low downtime |
| DataSync | Transfer | Online bulk file/object transfer over the network (NFS/SMB/HDFS → S3/EFS/FSx) |
| Snowball Edge | Transfer | Offline transfer of large datasets when the network would take too long |
| Elastic Disaster Recovery (DRS) | Resilience | Continuous replication for cross-AZ/region DR with fast failback |
During a migration you run hybrid for weeks or months — half the system on AWS, half still on-prem. The network between them has to be fast, private, and predictable, or the dependency edges you mapped in discovery turn into latency complaints.
The default secure on-ramp is an AWS Site-to-Site VPN: IPsec tunnels from your on-prem firewall to a VPN gateway on AWS, encrypted over the public internet. It stands up in hours and is perfect for the early phases, for management traffic, and as a backup. Its limits are the public internet itself — variable latency and bandwidth capped around 1.25 Gbps per tunnel.
When you are moving terabytes and running latency-sensitive hybrid links, you provision AWS Direct Connect: a dedicated private circuit (1, 10, or 100 Gbps) from your data center into AWS that never touches the public internet. The catch is lead time — physical cross-connects take weeks to provision through a Direct Connect location, so this is something the partner orders early in Mobilize, not the week of cutover. A common pattern is Direct Connect for the bulk and steady-state traffic with a VPN as encrypted failover.
Tying it together is AWS Transit Gateway — a regional hub that connects your VPCs and your on-prem connections (both VPN and Direct Connect) through one routing point instead of a brittle mesh of peering connections. As you spin up landing-zone VPCs for production, shared services, and security tooling, Transit Gateway is what keeps the routing sane and lets you attach the on-prem side once and reach everything.
This all lands inside a properly structured landing zone — a multi-account AWS foundation with the network, identity, logging, and guardrails set up before any workload arrives. Migrating into a single flat account is a mistake you pay for later; a partner stands up the landing zone during Mobilize so the first wave has somewhere safe to land.
Compute is portable; data has gravity. The largest single variable in a data-center exit is how long it takes to move the file shares, the object stores, and the databases — and whether the network can carry it in the window you have.
Do the arithmetic before you pick a tool. A 100 TB file share over a 1 Gbps link, even at a generous 80% sustained throughput, takes well over a week of continuous transfer — and that is before the migration traffic competes with your day-job traffic. Bandwidth, not cleverness, is usually the constraint.
For online transfer, AWS DataSync is the right tool for file and object data. It is a managed agent that moves data from NFS, SMB, and HDFS sources into S3, EFS, or FSx, with built-in encryption, integrity verification, scheduling, and incremental sync so you can pre-seed once and then top up the delta right before cutover. DataSync saturates the link you give it and handles the retry/verification work you would otherwise script by hand.
When the dataset is large enough that the network would take weeks — or when you simply do not have the bandwidth to spare — you ship it physically with AWS Snowball Edge. AWS sends a ruggedized, encrypted appliance; you copy data onto it on the local network at LAN speed, ship it back, and AWS loads it into S3. For multi-hundred-terabyte and petabyte moves, the express-shipping latency of a physical box beats the wire. A frequent hybrid pattern is Snowball for the cold bulk and DataSync for the warm delta and the final catch-up.
Databases get their own treatment via AWS Database Migration Service (DMS). DMS performs a full load and then switches to ongoing change-data-capture, replicating live transactions from the source so the target stays in sync while the application keeps running — that continuous replication is what shrinks the cutover window from days to minutes. For heterogeneous moves (for example consolidating an expensive Oracle estate onto Aurora PostgreSQL), the Schema Conversion Tool converts schema and stored code first; the heterogeneous conversion is the genuinely hard part and the line item most worth a specialist.
Both MGN (servers) and DMS (databases) work by replicating continuously while the source stays live, then doing a tiny final sync at cutover. That is the entire trick to a short maintenance window: you are not copying terabytes during the outage — you copied them last week and you are only flushing the last few minutes of changes now.
Leaving the data center is also the moment you fix the disaster-recovery story you have been quietly worried about, and the moment the compliance posture either gets easier or gets harder. Plan both deliberately.
On-prem DR usually means a second site you half-built, tape you hope restores, or an RTO measured in days. On AWS, AWS Elastic Disaster Recovery (DRS) continuously replicates your servers into a low-cost staging area in another Availability Zone or Region and lets you fail over in minutes and fail back when the incident clears. Spreading production across multiple AZs turns single-facility risk into something you configure rather than something you fear. Pair that with codified backups and you have replaced the spreadsheet-and-a-prayer plan with a tested one.
Compliance can move either direction. AWS inherits and certifies the physical and infrastructure layer — SOC 2, ISO 27001, PCI DSS, HIPAA-eligible services, and regional frameworks — which removes a large chunk of the audit surface you used to own when you ran the building. But the shared-responsibility model is real: AWS secures the cloud, you secure what you put in it. Misconfigured S3 buckets, over-broad IAM, and unencrypted volumes are your problem, not theirs.
Data residency is the constraint to nail early. If a regulator requires data to stay in-country, you choose the in-country Region (or, for the narrow cases that cannot use the public region yet, Outposts in your own facility) and you design the network so regulated data never leaves the boundary. This is exactly why discovery tags each application with its compliance constraints before any wave is scheduled — you do not want to find out a workload was in scope for a residency rule the night of its cutover.
A partner sets this up as guardrails in the landing zone — encryption-by-default, centralized logging to a dedicated account, config rules that flag drift, and identity wired to your existing directory — so the estate lands compliant rather than getting retrofitted after an auditor finds the gaps.
The cutover is the part everyone fears and the part good preparation makes boring. By the time you flip traffic, the data has been replicating for weeks and the target has already been tested. Then there is who pays for all of it.
A clean cutover runs to a runbook. You pick a low-traffic maintenance window. You stop the source application to freeze writes. MGN and DMS flush their final delta so the AWS side is byte-current. You launch the production instances from the replicated images, re-point DNS (with a low TTL set days earlier so the change propagates fast), and run a scripted smoke test against the new stack. If the validation passes, you open traffic; if it fails, you roll back to the still-intact source — which is why you never decommission on-prem until the AWS side has run clean in production for an agreed soak period.
Migrate in waves, not in one heroic weekend. The first wave is deliberately low-risk — internal tools, a non-critical app — so the team exercises the runbook, the network, and the rollback on something forgiving. Confidence and velocity build from there; the crown-jewel systems go in a later wave, once the path is proven.
Now the economics that make this an easy yes. The AWS Migration Acceleration Program (MAP) is structured in three phases — Assess (build the TCO and readiness case, typically free), Mobilize (stand up the landing zone, run a pilot wave), and Migrate & Modernize (production at scale). For qualifying migrations AWS provides funding and credits that scale with the size of the migration and are delivered through an AWS partner under the Partner Network. In practice that means the assessment costs you nothing and AWS credits a large share of the migration and modernization spend.
Honest framing: MAP funding applies to qualifying migrations — typically those with a meaningful committed AWS spend after the move — and the exact funding is scoped during Assess against your portfolio. Where it qualifies, the customer migrates at little-to-no cost because the partner is paid through MAP. Where it does not, CloudRoute still routes you to a vetted partner who runs the cutover and de-risks the project. Either way you are not hiring a migration team off cold outreach and hoping.
That is what CloudRoute does: you describe the data center once, we match you to a MAP-funded AWS partner with a real on-prem track record for your stack and region, the partner runs discovery through cutover, and the funding is arranged for you. Your job is to point at the dependency map and approve the waves.
These are the three ways a workload leaves the data center. They are not competitors so much as tools for different jobs — most estates use all three. Here is how they differ on the dimensions that actually drive the decision.
| Dimension | VMware Cloud on AWS | AWS Outposts | Native rehost (MGN) |
|---|---|---|---|
| What it is | Full VMware SDDC on AWS bare-metal | AWS hardware rack in YOUR facility | Source servers replicated to native EC2 |
| Best for | Evacuating a large vSphere estate fast | Latency / residency workloads that must stay local | Physical + VM servers going cloud-native |
| Change to the app | None — relocate VMs unchanged (HCX) | None — same AWS APIs, just on-prem | Minimal — same OS/arch, new home |
| Where it runs | AWS Region (dedicated hosts) | On-premises (in your data center) | AWS Region (standard EC2) |
| Operating model | Familiar VMware tooling | Native AWS, hybrid footprint | Fully native AWS |
| Cloud-native cost wins | Later (still VMware-shaped cost) | Limited (you still own the facility) | Immediate (right-sized EC2 + Savings Plans) |
| Role in the plan | Fast bridge off vSphere | Principled exception / hybrid bridge | The default destination for the estate |
Situation: The storage array was going off support and a refresh quote came in around $900K in capex for hardware that would run at ~20% utilization. One facility, single power feed, DR was a nightly tape job with an untested multi-day RTO. A warehouse management system needed low-latency links to floor scanners and could not simply move to a distant region. Internal ops team of three could not run a migration of this size alongside keeping the lights on.
What CloudRoute did: CloudRoute routed within 22 hours to a MAP-funded AWS partner with on-prem + VMware track record in the US Midwest. The partner ran AWS Application Discovery Service (agentless OVA across vCenter plus agents on the physical Windows boxes) for 3 weeks, sorted ~140 servers by the 7 Rs (18 retired outright as dead weight), and built the TCO in Migration Hub. Path mix: most vSphere VMs rehosted to native EC2 with MGN; the heavily-coupled finance stack relocated to VMware Cloud on AWS to hit the SAN deadline; the warehouse-management latency edge stayed on an Outposts rack in the surviving facility. Direct Connect (10 Gbps) plus a VPN failover landed during Mobilize; ~90 TB of file data moved via a Snowball Edge for the bulk and DataSync for the delta; the SQL Server estate cut over with DMS. Five cutover waves over the Migrate phase, low-risk apps first.
Outcome: Both data centers exited inside the SAN-refresh deadline; the $900K refresh capex was avoided entirely and replaced with consumption-based opex (steady-state right-sized + 1-year Savings Plans). DR is now cross-AZ with Elastic Disaster Recovery and a tested sub-hour RTO. MAP funded the engagement — Assess was free and AWS credited the large majority of the migration cost; the partner was paid through MAP. CloudRoute was paid by the partner. The customer ran the project at effectively $0 migration cost.
discovery: 3 wks · servers: ~140 (18 retired) · cutover waves: 5 · capex avoided: ~$900K · migration cost to customer: ~$0 (MAP-funded)
CloudRoute matches you to a MAP-funded AWS partner who handles discovery, networking, data transfer, and cutover. Assess is typically free; AWS credits the bulk of qualifying migrations. No forklift weekend, no cold-outreach migration crew.